CVE Explained
xRogue, Mar 26, 2024
Openfire is a real-time collaboration (RTC) server licensed under the Open Source Apache License. It is written in Java and uses the XMPP protocol for instant messaging. During our work, Hack The Box was able to identify two improper access control issues affecting the application.
The first issue lies in how the application handles deleted administrative users. When an administrative user is created, their admin privileges are recorded in a system property called admin.authorizedJIDs, keyed by the account's username. When that administrative user is deleted, the username is not removed from the admin.authorizedJIDs system property.
As a result, if a new user is created with the same username, the new user is automatically an administrator. The new user does not need to be created from the application's administrative panel; it can be created through XMPP registration. This issue is registered as CVE-2024-25420.
The second issue is similar, but the underlying cause is different.
When a user is added to a group chat, their affiliation and related data are stored in the cache.
When that user is deleted, the cache is not updated to reflect the new state of the group, so a new user with the same username gains access to the group chat with the same level of privileges as the previously deleted user. This issue is registered as CVE-2024-25421.
To replicate CVE-2024-25420, take the following steps:
1. Create an admin user.
2. Delete the admin user.
3. Create a new user with the same username as the deleted admin user. We created the user through XMPP using Pidgin for this example.
4. Log in with the new account through the web application.
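The stale state that the steps above depend on is an admin.authorizedJIDs entry with no matching account. The following audit script is an added example, not Openfire's or Hack The Box's code; it assumes the property is a comma-separated list of bare JIDs or usernames and that the caller supplies the current usernames (for instance from the ofUser table or the admin REST API).

```python
# Added example (not Openfire's or Hack The Box's code): audit Openfire's
# admin.authorizedJIDs system property for entries whose account no longer
# exists, the stale state that CVE-2024-25420 relies on.
# Assumptions (not from the advisory): the value is a comma-separated list of
# bare JIDs ("user@domain") or bare usernames, and the caller supplies the
# current usernames (e.g. from the ofUser table or the admin REST API).
from typing import Iterable


def _local_part(entry: str) -> str:
    """'user@domain' or 'user' -> lower-cased username (node part assumed case-insensitive)."""
    return entry.strip().split("@", 1)[0].lower()


def parse_authorized_jids(prop_value: str) -> list[str]:
    """Split admin.authorizedJIDs into its raw entries, dropping blanks."""
    return [e.strip() for e in prop_value.split(",") if e.strip()]


def find_orphaned_admins(prop_value: str, existing_users: Iterable[str]) -> list[str]:
    """Usernames still granted admin whose account has been deleted."""
    users = {u.lower() for u in existing_users}
    orphaned: list[str] = []
    for entry in parse_authorized_jids(prop_value):
        name = _local_part(entry)
        if name not in users and name not in orphaned:
            orphaned.append(name)
    return orphaned


def cleaned_property(prop_value: str, existing_users: Iterable[str]) -> str:
    """Rebuild the property value with orphaned entries removed and duplicates collapsed."""
    users = {u.lower() for u in existing_users}
    kept: list[str] = []
    for entry in parse_authorized_jids(prop_value):
        if _local_part(entry) in users and entry not in kept:
            kept.append(entry)
    return ",".join(kept)


def registration_would_grant_admin(username: str, prop_value: str,
                                   existing_users: Iterable[str]) -> bool:
    """True if a new account named `username` would inherit a deleted admin's rights."""
    return _local_part(username) in find_orphaned_admins(prop_value, existing_users)


# Constructed sample: "xrogue" was an admin, was deleted, and is still listed.
SAMPLE_PROPERTY = "admin@chat.example.test,xrogue@chat.example.test, bob"
SAMPLE_USERS = {"admin", "bob"}

if __name__ == "__main__":
    print(find_orphaned_admins(SAMPLE_PROPERTY, SAMPLE_USERS))  # ['xrogue']
    print(cleaned_property(SAMPLE_PROPERTY, SAMPLE_USERS))  # admin@chat.example.test,bob
```

Running the audit after every account deletion, or before accepting an XMPP registration, flags the condition before a re-registered username inherits admin rights.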
To replicate CVE-2024-25421, take the following steps:
1. Create a new user and add him to a group chat (under any affiliation – for this example, Admin).